So I've got a 3rd party tool that will hit this endpoint; since it's public I need to verify that the requests are coming from this tool.

Here are the signature headers.

- X-Tool-Signature-V1: Base64 encoded digital signature generated by Tool for the request.
- X-Tool-Cert-Url: URL to an X.509 public key certificate that should be used to verify the digital signature.
- X-Tool-Timestamp: Unix timestamp that records when the request was sent.
- X-Tool-Request-ID: Unique id of the event that triggered the webhook request. Note: this id does not change when requests are retried.
- X-Tool-Organization-ID: Tool organization ID associated with the event.

At a high level these are the steps I need to take to ensure the request is legit. I feel like I'm very close, I've got 1, 2, and 3 working but I'm not sure how to do the final verification, specifically how do I "use the certificate" like it describes below?

1. Protect against replay attacks: Compare X-Tool-Timestamp to the current time and ignore requests that are too old. We recommend a tolerance of 5 minutes.
2. Verify the certificate URL (X-Tool-Cert-Url) and download the certificate.
   - Ensure that the certificate URL uses the HTTPS scheme.
   - Ensure that the host component of the certificate URL is: webhooks-auth.tool.com
   - Download the certificate.
3. Generate a string containing the following data in the order listed, delimited with the period character (.):
   - X-Tool-Timestamp
   - X-Tool-Request-ID
   - X-Tool-Organization-ID
   - Webhook endpoint URL
   - HTTP request body
4. Use the certificate and the SHA-256 secure hash algorithm on the string generated in Step 3 to verify the signature.

Sorry for the long post, I can share code if it helps.

Thanks for taking the time to read this!
Submitted July 09, 2018 at 11:01PM by stlwebdev